OWASP Application Security Verification Standard 4.0 v3.7 Fill

This document outlines the Level 1 requirements for the OWASP Application Security Verification Standard (ASVS). It includes 12 sections for authentication verification requirements covering password security, general authenticators, and secure notifications. The requirements specify ways to strengthen password policies, limit account attacks, and securely notify users of authentication changes. Compliance with the standards is meant to help secure user authentication.


OWASP Application Security Verification Standard

Level 1 Requirements

ASVS No. | Category / Sub Category / Requirement | CWE | Compliance | Remark

2 | Authentication Verification Requirements | - | -
2.1 | Password Security Requirements | - | -
2.1.1 | Verify that user set passwords are at least 12 characters in length. (C6) | 521 | Comply
2.1.2 | Verify that passwords 64 characters or longer are permitted. (C6) | 521 | Comply
2.1.3 | Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. (C6) | 521 | Comply
2.1.4 | Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted. | 521 | Comply
2.1.5 | Verify users can change their password. | 620 | Comply
2.1.6 | Verify that password change functionality requires the user's current and new password. | 620 | Comply
2.1.7 | Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. | 521 | Not Applicable
2.1.8 | Verify that a password strength meter is provided to help users set a stronger password. (C6) | 521 | Not Applicable
2.1.9 | Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (C6) | 521 | Comply
2.1.10 | Verify that there are no periodic credential rotation or password history requirements. | 263 | Comply
2.1.11 | Verify that "paste" functionality, browser password helpers, and external password managers are permitted. | 521 | Comply
2.1.12 | Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality. | 521 | Comply
2.2 | General Authenticator Requirements | - | -
2.2.1 | Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account. | 307 | Comply
2.2.2 | Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise. | 304 | Comply
2.2.3 | Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification. | 620 | Not Applicable
2.3 | Authenticator Lifecycle Requirements | - | -
2.3.1 | Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password. | 330 | Comply
2.5 | Credential Recovery Requirements | - | -
2.5.1 | Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. (C6) | 640 | Comply
2.5.2 | Verify password hints or knowledge-based authentication (so-called "secret questions") are not present. | 640 | Comply
2.5.3 | Verify password credential recovery does not reveal the current password in any way. (C6) | 640 | Comply
2.5.4 | Verify shared or default accounts are not present (e.g. "root", "admin", or "sa"). | 16 | Comply
2.5.5 | Verify that if an authentication factor is changed or replaced, that the user is notified of this event. | 304 | Not Applicable
2.5.6 | Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. (C6) | 640 | Comply
2.7 | Out of Band Verifier Requirements | - | -
2.7.1 | Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first. | 287 | Not Applicable
2.7.2 | Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes. | 287 | Comply
2.7.3 | Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request. | 287 | Comply
2.7.4 | Verify that the out of band authenticator and verifier communicates over a secure independent channel. | 523 | Comply
2.8 | Single or Multi Factor One Time Verifier Requirements | - | -
2.8.1 | Verify that time-based OTPs have a defined lifetime before expiring. | 613 | Not Applicable
3 | Session Management Verification Requirements | - | -
3.1 | Fundamental Session Management Requirements | - | -
3.1.1 | Verify the application never reveals session tokens in URL parameters or error messages. | 598 | Comply
3.2 | Session Binding Requirements | - | -
3.2.1 | Verify the application generates a new session token on user authentication. (C6) | 384 | Comply
3.2.2 | Verify that session tokens possess at least 64 bits of entropy. (C6) | 331 | Comply
3.2.3 | Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage. | 539 | Comply
3.3 | Session Logout and Timeout Requirements | - | -
3.3.1 | Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (C6) | 613 | Comply
3.3.2 | If authenticators permit users to remain logged in, verify that re-authentication occurs periodically (30 days) both when actively used or after an idle period. (C6) | 613 | Comply
3.4 | Cookie-based Session Management | - | -
3.4.1 | Verify that cookie-based session tokens have the 'Secure' attribute set. (C6) | 614 | Comply
3.4.2 | Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6) | 1004 | Comply
3.4.3 | Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. (C6) | 16 | Comply
3.4.4 | Verify that cookie-based session tokens use the "__Host-" prefix (see references) to provide session cookie confidentiality. | 16 | Comply
3.4.5 | Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. (C6) | 16 | Comply
3.7 | Defenses Against Session Management Exploits | - | -
3.7.1 | Verify the application ensures a valid login session or requires reauthentication or secondary verification before allowing any sensitive transactions or account modifications. | 778 | Comply
4 | Access Control Verification Requirements | - | -
4.1 | General Access Control Design | - | -
4.1.1 | Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed. | 602 | Comply
4.1.2 | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. | 639 | Comply
4.1.3 | Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7) | 285 | Comply
4.1.4 | Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly | 276 | Comply
4.1.5 | Verify that access controls fail securely including when an exception occurs. (C10) | 285 | Comply
4.2 | Operation Level Access Control | - | -
4.2.1 | Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records. | 639 | Comply
4.2.2 | Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated | 352 | Comply
4.3 | Other Access Control Considerations | - | -
4.3.1 | Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. | 419 | Comply
4.3.2 | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | 548 | Comply
5 | Validation, Sanitization and Encoding Verification Requirements | - | -
5.1 | Input Validation Requirements | - | -
5.1.1 | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables). | 235 | Comply
5.1.2 | Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. (C5) | 915 | Comply
5.1.3 | Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). (C5) | 20 | Comply
5.1.4 | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). (C5) | 20 | Comply
5.1.5 | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | 601 | Comply
5.2 | Sanitization and Sandboxing Requirements | - | -
5.2.1 | Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. (C5) | 116 | Comply
5.2.2 | Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. | 138 | Comply
5.2.3 | Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection. | 147 | Comply
5.2.4 | Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed. | 95 | Comply
5.2.5 | Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed. | 94 | Comply
5.2.6 | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports. | 918 | Comply
5.2.7 | Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject. | 159 | Comply
5.2.8 | Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar. | 94 | Comply
5.3 | Output encoding and Injection Prevention Requirements | - | -
5.3.1 | Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or | 116 | Comply
5.3.2 | Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. (C4) | 176 | Comply
5.3.3 | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. (C4) | 79 | Comply
5.3.4 | Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. (C3) | 89 | Comply
5.3.5 | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. (C3, C4) | 89 | Comply
5.3.6 | Verify that the application protects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. (C4) | 830 | Comply
5.3.7 | Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. (C4) | 943 | Comply
5.3.8 | Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. (C4) | 78 | Comply
5.3.9 | Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. | 829 | Comply
5.3.10 | Verify that the application protects against XPath injection or XML injection attacks. (C4) | 643 | Comply
5.5 | Deserialization Prevention Requirements | - | -
5.5.1 | Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. (C5) | 502 | Comply
5.5.2 | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE. | 611 | Comply
5.5.3 | Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers). | 502 | Comply
5.5.4 | Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. | 95 | Comply
6 | Stored Cryptography Verification Requirements | - | -
6.2 | Algorithms | - | -
6.2.1 | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks. | 310 | Comply
7 | Error Handling and Logging Verification Requirements | - | -
7.1 | Log Content Requirements | - | -
7.1.1 | Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. (C9, C10) | 532 | Comply
7.1.2 | Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. (C9) | 532 | Comply
7.4 | Error Handling | - | -
7.4.1 | Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. (C10) | 210 | Comply
8 | Data Protection Verification Requirements | - | -
8.2 | Client-side Data Protection | - | -
8.2.1 | Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. | 525 | Comply
8.2.2 | Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII. | 922 | Comply
8.2.3 | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated. | 922 | Comply
8.3 | Sensitive Private Data | - | -
8.3.1 | Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data. | 319 | Comply
8.3.2 | Verify that users have a method to remove or export their data on demand. | 212 | Not Applicable
8.3.3 | Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any | 285 | Comply
8.3.4 | Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. (C8) | 200 | Comply
8.3.5 | Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required. | 532 | Comply
8.3.6 | Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data. | 226 | Comply
8.3.7 | Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. (C8) | 327 | Comply
8.3.8 | Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires. | 285 | Not Applicable
9 | Communications Verification Requirements | - | -
9.1 | Communications Security Requirements | - | -
9.1.1 | Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted | 319 | Comply
9.1.2 | Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred. | 326 | Comply
9.1.3 | Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite. | 326 | Comply
10 | Malicious Code Verification Requirements | - | -
10.3 | Deployed Application Integrity Controls | - | -
10.3.1 | Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update. | 16 | Comply
10.3.2 | Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet. | 353 | Comply
10.3.3 | Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change. | 350 | Other | Not sure
11 | Business Logic Verification Requirements | - | -
11.1 | Business Logic Security Requirements | - | -
11.1.1 | Verify the application will only process business logic flows for the same user in sequential step order and | 841 | Comply
11.1.2 | Verify the application will only process business logic flows with all steps being processed in realistic human | 779 | Comply
11.1.3 | Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis. | 770 | Comply
11.1.4 | Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks. | 770 | Comply
11.1.5 | Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies. | 841 | Comply
12 | File and Resources Verification Requirements | - | -
12.1 | File Upload Requirements | - | -
12.1.1 | Verify that the application will not accept large files that could fill up storage or cause a denial of service attack. | 400 | Comply
12.3 | File execution Requirements | - | -
12.3.1 | Verify that user-submitted filename metadata is not used directly with system or framework file and URL API | 22 | Comply
12.3.2 | Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI). | 73 | Comply
12.3.3 | Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution | 98 | Comply
12.3.4 | Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename. | 641 | Comply
12.3.5 | Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS | 78 | Comply
Verification command injection.
Requirements
ASVS No. Categories Sub Categories Requirements CWE Compliance Remark
12.4 File and Resources Verification File Storage Requirements - -
Requirements
12.4.1 File and Resources Verification File Storage Requirements Verify that files obtained from untrusted sources are stored outside the web root, with limited 922 Not Applicable
Requirements
permissions, preferably with strong validation.
12.4.2 File and Resources Verification File Storage Requirements Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent 509 Not Applicable
Requirements upload of
12.5 File and Resources Verification File Download Requirements- -
Requirements
12.5.1 File and Resources Verification File Download Requirements Verify that the web tier is configured to serve only files with specific file extensions to prevent 552 Comply
Requirements unintentional
information and source code leakage. For example, backup files (e.g. .bak), temporary working files
(e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should
12.5.2 be blocked
File and Resources Verification File Download Requirements Verify unless requests
that direct required.to uploaded files will never be executed as HTML/JavaScript content. 434 Comply
Requirements
12.6 File and Resources Verification SSRF Protection - -
Requirements Requirements
12.6.1 File and Resources Verification SSRF Protection Verify that the web or application server is configured with a whitelist of resources or systems to which 918 Comply
Requirements Requirements the
13 API and Web Service - server
- can send requests or load data/files from. -
Verification
13.1 Requirements
API and Web Service Generic Web Service - -
Verification
Requirements Security
Verification Requirements
13.1.1 API and Web Service Generic Web Service SecurityVerify that all application components use the same encodings and parsers to avoid parsing attacks that 116 Comply
Verification
Requirements exploit URI or file parsing behavior that could be used in SSRF and RFI attacks.
Verification Requirements different
13.1.2 API and Web Service Generic Web Service SecurityVerify that access to administration and management functions is limited to authorized administrators. 419 Comply
Verification
Requirements Verification Requirements
13.1.3 API and Web Service Generic Web Service Security Verify API URLs do not expose sensitive information, such as the API key, session tokens etc. 598 Comply
Verification
Requirements Verification Requirements
13.2 API and Web Service RESTful Web Service - -
Verification
Requirements Verification Requirements
13.2.1 API and Web Service RESTful Web Service Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing 650 Comply
Verification Verification Requirements normal
13.2.2 Requirements
API and Web Service RESTful Web Service users using
Verify DELETE
that JSON or PUTvalidation
schema on protected
is in API or and
place resources.
verified before accepting input. 20 Comply
Verification
Requirements Verification Requirements
13.2.3 API and Web Service RESTful Web Service Verify that RESTful web services that utilize cookies are protected from CrossSite Request Forgery via the 352 Comply
Verification Verification Requirements use
Requirements of at least one or more of the following: triple or double submit cookie pattern (see ref erences), CSRF
13.3 API and Web Service SOAP Web Service nonces,
- or ORIGIN request header checks. -
Verification
Requirements Verification Requirements
13.3.1 API and Web Service SOAP Web Service Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by 20 Not Applicable
Verification
Requirements Verification
Requirements
validation of each input field before any processing of that data takes place.
14 Configuration Verification - - -
Requirements
14.2 Configuration Verification Dependency - -
Requirements
14.2.1 Configuration Verification Dependency Verify that all components are up to date, preferably using a dependency checker during build or compile 1026 Comply
Requirements time.
14.2.2 Configuration Verification Dependency (C2) 1002 Comply
Verify that all unneeded features, documentation, samples, configurations are removed, such as sample
Requirements
applications, platform documentation, and default or example users.
14.2.3 Configuration Verification Dependency Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted 714 Comply
Requirements externally
on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to
14.3 Configuration Verification Unintended Security -validate the integrity of the asset. -
Requirements Disclosure Requirements
14.3.1 Configuration Verification Unintended Security Verify that web or application server and framework error messages are configured to deliver user 209 Comply
Requirements Disclosure Requirements actionable,
14.3.2 Configuration Verification Unintended Security customized responses to eliminate any unintended security disclosures. 497 Comply
Verify that web or application server and application framework debug modes are disabled in
Requirements Disclosure Requirements production to
ASVS No. Categories Sub Categories Requirements CWE Compliance Remark
14.3.3 Configuration Verification Unintended Security Verify that the HTTP headers or any part of the HTTP response do not expose detailed version 200 Comply
Requirements Disclosure Requirements information of
14.4 Configuration Verification HTTP Security Headers -system components. -
Requirements Requirements
14.4.1 Configuration Verification HTTP Security Headers Verify that every HTTP response contains a content type header specifying a safe character set (e.g., 173 Comply
Requirements Requirements UTF-8, ISO
14.4.2 Configuration Verification HTTP Security Headers 8859-1).
Verify that all API responses contain Content-Disposition: attachment; filename="api.json" (or other 116 Comply
Requirements Requirements appropriate
14.4.3 Configuration Verification HTTP Security Headers filename
Verify thatfor the content
a content type).
security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like 1021 Comply
Requirements Requirements HTML,
14.4.4 Configuration Verification HTTP Security Headers DOM, JSON,
Verify that alland JavaScript
responses injection
contain vulnerabilities.
X-Content-Type-Options: nosniff. 116 Comply
Requirements Requirements
14.4.5 Configuration Verification HTTP Security Headers Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, 523 Comply
Requirements Requirements such as
14.4.6 Configuration Verification HTTP Security Headers Strict-Transport-Security:
Verify max-age=15724800;
that a suitable "Referrer-Policy" header isincludeSubdomains.
included, such as "no-referrer" or "same-origin". 116 Comply
Requirements Requirements
14.4.7 Configuration Verification HTTP Security Headers Verify that a suitable X-Frame-Options or Content-Security-Policy: frameancestors header is in use for 346 Comply
Requirements Requirements sites
14.5 Configuration Verification Validate HTTP Request -where content should not be embedded in a third-party site. -
Requirements Header Requirements
14.5.1 Configuration Verification Validate HTTP Request er Verify that the application server only accepts the HTTP methods in use by the application or API, 749 Comply
Requirements Head
Requirements
pre-flight OPTIONS.
14.5.2 Configuration Verification Validate HTTP Request er Verify that the supplied Origin header is not used for authentication or access control decisions, as the 346 Comply
Requirements Head
Requirements Origin
header can easily be changed by an attacker.
14.5.3 Configuration Verification Validate HTTP Request er Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict 346 Comply
Requirements Head
Requirements white-
list of trusted domains to match against and does not support the "null" origin.
Authorization
OSM Communication & Convergence Product Management: Faizal Aidul Fitri / 730497
Project Manager: Singgih Aji Prasetyo

OWASP Application Security Verification Standard
Level 2 Requirements

ASVS No. Categories Sub Categories Requirements CWE Compliance Remark


1 Architecture, Design and Threat - - -
Modeling Requirements
1.1 Architecture, Design and Threat Secure Software Development - -
Modeling Requirements Lifecycle Requirements

1.1.1 Architecture, Design and Threat Secure Software Development Verify the use of a secure software development lifecycle that addresses security in all stages of development. - Comply
Modeling Requirements Lifecycle Requirements (C1)

1.1.2 Architecture, Design and Threat Secure Software Development Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for 1053 Comply
Modeling Requirements Lifecycle Requirements countermeasures, facilitate appropriate risk responses, and guide security testing.

1.1.3 Architecture, Design and Threat Secure Software Development Verify that all user stories and features contain functional security constraints, such as "As a user, I should be 1110 Comply
Modeling Requirements Lifecycle Requirements able to view and edit my profile. I should not be able to view or edit anyone else's profile"

1.1.4 Architecture, Design and Threat Secure Software Development Verify documentation and justification of all the application's trust boundaries, components, and significant 1059 Comply
Modeling Requirements Lifecycle Requirements data flows.

1.1.5 Architecture, Design and Threat Secure Software Development Verify definition and security analysis of the application's high-level architecture and all connected remote 1059 Comply
Modeling Requirements Lifecycle Requirements services. (C1)

1.1.6 Architecture, Design and Threat Secure Software Development Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security 637 Comply
Modeling Requirements Lifecycle Requirements controls to avoid duplicate, missing, ineffective, or insecure controls. (C10)

1.1.7 Architecture, Design and Threat Secure Software Development Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and 637 Comply
Modeling Requirements Lifecycle Requirements testers.

1.2 Architecture, Design and Threat Authentication Architectural - -


Modeling Requirements Requirements
1.2.1 Architecture, Design and Threat Authentication Architectural Verify the use of unique or special low-privilege operating system accounts for all application components, 250 Comply
Modeling Requirements Requirements services, and servers. (C3)
1.2.2 Architecture, Design and Threat Authentication Architectural Verify that communications between application components, including APIs, middleware and data layers, are 306 Comply
Modeling Requirements Requirements authenticated. Components should have the least necessary privileges needed. (C3)
1.2.3 Architecture, Design and Threat Authentication Architectural Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be 306 Comply
Modeling Requirements Requirements extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or
breaches.
1.2.4 Architecture, Design and Threat Authentication Architectural Verify that all authentication pathways and identity management APIs implement consistent authentication 306 Comply
Modeling Requirements Requirements security control strength, such that there are no weaker alternatives per the risk of the application.
1.4 Architecture, Design and Threat Access Control Architectural - -
Modeling Requirements Requirements
Architecture, Design and Threat Access Control Architectural Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions Comply
602
1.4.1 Modeling Requirements Requirements enforce access controls. Never enforce access controls on the client.
Architecture, Design and Threat Access Control Architectural Comply
284
1.4.2 Modeling Requirements Requirements Verify that the chosen access control solution is flexible enough to meet the application's needs.
Architecture, Design and Threat Access Control Architectural Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and Comply
272
1.4.3 Modeling Requirements Requirements other resources. This implies protection against spoofing and elevation of privilege.
Architecture, Design and Threat Access Control Architectural Verify the application uses a single and well-vetted access control mechanism for accessing protected data and Comply
Modeling Requirements Requirements resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative 284
1.4.4 paths. (C7)
Architecture, Design and Threat Access Control Architectural Comply
Modeling Requirements Requirements Verify that attribute or feature-based access control is used whereby the code checks the user's authorization 275
1.4.5 for a feature/data item rather than just their role. Permissions should still be allocated using roles. (C7)
1.5 Architecture, Design and Threat Input and Output Architectural - -
Modeling Requirements Requirements
Architecture, Design and Threat Input and Output Architectural Verify that input and output requirements clearly define how to handle and process data based on type, Comply
1.5.1 1029
Modeling Requirements Requirements content, and applicable laws, regulations, and other policy compliance.
Architecture, Design and Threat Input and Output Architectural Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure Comply
1.5.2 Modeling Requirements Requirements that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent 502
deserialization attacks including object injection.
Architecture, Design and Threat Input and Output Architectural Comply
1.5.3 Verify that input validation is enforced on a trusted service layer. (C5) 602
Modeling Requirements Requirements
Architecture, Design and Threat Input and Output Architectural Comply
116
1.5.4 Modeling Requirements Requirements Verify that output encoding occurs close to or by the interpreter for which it is intended. (C4)
1.6 Architecture, Design and Threat Cryptographic Architectural - -
Modeling Requirements Requirements
Architecture, Design and Threat Cryptographic Architectural Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key Other Not sure
1.6.1 320
Modeling Requirements Requirements lifecycle follows a key management standard such as NIST SP 800-57.
Architecture, Design and Threat Cryptographic Architectural Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API Comply
1.6.2 320
Modeling Requirements Requirements based alternatives.
Architecture, Design and Threat Cryptographic Architectural Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive Comply
1.6.3 320
Modeling Requirements Requirements data.
Architecture, Design and Threat Cryptographic Architectural Other Not sure
Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in
Modeling Requirements Requirements
1.6.4 protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter 320
obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such.

1.7 Architecture, Design and Threat Errors, Logging and Auditing - -


Modeling Requirements Architectural Requirements
Architecture, Design and Threat Errors, Logging and Auditing Comply
1.7.1 Modeling Requirements Architectural Requirements Verify that a common logging format and approach is used across the system. (C9) 1009
Architecture, Design and Threat Errors, Logging and Auditing Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and - Comply
1.7.2 Modeling Requirements Architectural Requirements escalation. (C9)
1.8 Architecture, Design and Threat Data Protection and Privacy - -
Modeling Requirements Architectural Requirements
Architecture, Design and Threat Data Protection and Privacy - Comply
1.8.1 Modeling Requirements Architectural Requirements Verify that all sensitive data is identified and classified into protection levels.
Architecture, Design and Threat Data Protection and PrivacyVerify that all protection levels have an associated set of protection requirements, such as encryption - Comply
Modeling Requirements Architectural Requirements requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these
1.8.2 are applied in the architecture.
1.9 Architecture, Design and Threat Communications Architectural - -
Modeling Requirements Requirements
Architecture, Design and Threat Communications Architectural Verify the application encrypts communications between components, particularly when these components are Comply
1.9.1 319
Modeling Requirements Requirements in different containers, systems, sites, or cloud providers. (C3)
Architecture, Design and Threat Communications Architectural Comply
Verify that application components verify the authenticity of each side in a communication link to prevent
1.9.2 Modeling Requirements Requirements 295
person-in-the-middle attacks. For example, application components should validate TLS certificates and chains.

1.10 Architecture, Design and Threat Malicious Software - -


Modeling Requirements Architectural Requirements
Architecture, Design and Threat Malicious Software Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by Other Not sure
1.10.1 Modeling Requirements Architectural Requirements issues or change tickets. The source code control system should have access control and identifiable users to 284
allow traceability of any changes.
1.11 Architecture, Design and Threat Business Logic Architectural - -
Modeling Requirements Requirements
Architecture, Design and Threat Business Logic Architectural Verify the definition and documentation of all application components in terms of the business or security Comply
1.11.1 1059
Modeling Requirements Requirements functions they provide.
Architecture, Design and Threat Business Logic Architectural Verify that all high-value business logic flows, including authentication, session management and access Comply
1.11.2 362
Modeling Requirements Requirements control, do not share unsynchronized state.
1.12 Architecture, Design and Threat Secure File Upload - -
Modeling Requirements Architectural Requirements
Architecture, Design and Threat Secure File Upload Comply
1.12.1 Verify that user-uploaded files are stored outside of the web root. 552
Modeling Requirements Architectural Requirements
Architecture, Design and Threat Secure File Upload Comply
Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by
Modeling Requirements Architectural Requirements
1.12.2 either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a 646
suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file.

1.14 Architecture, Design and Threat Configuration Architectural - -


Modeling Requirements Requirements
Architecture, Design and Threat Configuration Architectural Verify the segregation of components of differing trust levels through well- defined security controls, firewall Comply
1.14.1 923
Modeling Requirements Requirements rules, API gateways, reverse proxies, cloudbased security groups, or similar mechanisms.
Architecture, Design and Threat Configuration Architectural Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, Comply
1.14.2 494
Modeling Requirements Requirements and verified endpoints.
Architecture, Design and Threat Configuration Architectural Comply
1.14.3 Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions. 1104
Modeling Requirements Requirements
Architecture, Design and Threat Configuration Architectural Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of - Comply
1.14.4 Modeling Requirements Requirements the application, particularly if the application infrastructure is software defined, such as cloud environment
build scripts.
Architecture, Design and Threat Configuration Architectural Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to Comply
1.14.5 Modeling Requirements Requirements delay and deter attackers from attacking other applications, especially when they are performing sensitive or 265
dangerous actions such as deserialization. (C5)
Architecture, Design and Threat Configuration Architectural Verify the application does not use unsupported, insecure, or deprecated client- side technologies such as NSAPI Comply
1.14.6 477
Modeling Requirements Requirements plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.
2.2 Authentication Verification General Authenticator - -
Requirements Requirements
Authentication Verification General Authenticator Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic Other Not sure
2.2.4 Requirements Requirements devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side 5.2.5
certificates.
Authentication Verification General Authenticator Verify that where a credential service provider (CSP) and the application verifying authentication are Comply
2.2.5 5.2.6
Requirements Requirements separated, mutually authenticated TLS is in place between the two endpoints.
Authentication Verification General Authenticator Verify replay resistance through the mandated use of OTP devices, cryptographic authenticators, or lookup Not Applicable
2.2.6 5.2.8
Requirements Requirements codes.
Authentication Verification General Authenticator Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button Not Applicable
2.2.7 5.2.9
Requirements Requirements press on a FIDO hardware key.
2.3 Authentication Verification Authenticator Lifecycle - -
Requirements Requirements
Authentication Verification Authenticator Lifecycle Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or Other Not sure
2.3.2 6.1.3
Requirements Requirements FIDO tokens.
Authentication Verification Authenticator Lifecycle Other Not sure
2.3.3 Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. 6.1.4
Requirements Requirements
2.4 Authentication Verification Credential Storage - -
Requirements Requirements
Authentication Verification Credential Storage Comply
Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and
Requirements Requirements
2.4.1 hashed using an approved oneway key derivation or password hashing function. Key derivation and password 916
hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. (C6)

Authentication Verification Credential Storage Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among Comply
2.4.2 916
Requirements Requirements stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. (C6)
Authentication Verification Credential Storage Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will Comply
2.4.3 916
Requirements Requirements allow, typically at least 100,000 iterations. (C6)
Authentication Verification Credential Storage Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, Comply
2.4.4 916
Requirements Requirements typically at least 13. (C6)
Authentication Verification Credential Storage Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and Comply
Requirements Requirements known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and
2.4.5 provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt 916
value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware
security module).
2.5 Authentication Verification Credential Recovery - -
Requirements Requirements
Authentication Verification Credential Recovery Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed Not Applicable
2.5.7 308
Requirements Requirements at the same level as during enrollment.
2.6 Authentication Verification Look-up Secret Verifier - -
Requirements Requirements
Authentication Verification Look-up Secret Verifier Other Not sure
2.6.1 Verify that lookup secrets can be used only once. 308
Requirements Requirements
Authentication Verification Look-up Secret Verifier Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, Other Not sure
2.6.2 330
Requirements Requirements salted with a unique and random 32-bit salt and hashed with an approved one-way hash.
Authentication Verification Look-up Secret Verifier Other Not sure
2.6.3 Verify that lookup secrets are resistant to offline attacks, such as predictable values. 310
Requirements Requirements
2.7 Authentication Verification Out of Band Verifier - -
Requirements Requirements
Authentication Verification Out of Band Verifier Other Not sure
2.7.5 Verify that the out of band verifier retains only a hashed version of the authentication code. 256
Requirements Requirements
Authentication Verification Out of Band Verifier Verify that the initial authentication code is generated by a secure random number generator, containing at Other Not sure
2.7.6 310
Requirements Requirements least 20 bits of entropy (typically a six digital random number is sufficient).
2.8 Authentication Verification Single or Multi Factor One - -
Requirements Time Verifier Requirements
Authentication Verification Single or Multi Factor One Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware Other Not sure
2.8.2 320
Requirements Time Verifier Requirements security module or secure operating system based key storage.
Authentication Verification Single or Multi Factor One Comply
2.8.3 Verify that approved cryptographic algorithms are used in the generation, seeding, and verification. 326
Requirements Time Verifier Requirements
Authentication Verification Single or Multi Factor One Not Applicable
2.8.4 Verify that time-based OTP can be used only once within the validity period. 287
Requirements Time Verifier Requirements
Authentication Verification Single or Multi Factor One Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected Not Applicable
2.8.5 287
Requirements Time Verifier Requirements with secure notifications being sent to the holder of the device.
| 2.8.6 | Authentication Verification Requirements | Single or Multi Factor One Time Verifier Requirements | Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location. | 613 | Not Applicable | |
| 2.9 | Authentication Verification Requirements | Cryptographic Software and Devices Verifier Requirements | - | - | | |
| 2.9.1 | Authentication Verification Requirements | Cryptographic Software and Devices Verifier Requirements | Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage. | 320 | Comply | |
| 2.9.2 | Authentication Verification Requirements | Cryptographic Software and Devices Verifier Requirements | Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device. | 330 | Comply | |
| 2.9.3 | Authentication Verification Requirements | Cryptographic Software and Devices Verifier Requirements | Verify that approved cryptographic algorithms are used in the generation, seeding, and verification. | 327 | Comply | |
| 2.10 | Authentication Verification Requirements | Service Authentication Requirements | - | - | | |
| 2.10.1 | Authentication Verification Requirements | Service Authentication Requirements | Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts. | 287 | Comply | Implementation through OS assisted |
| 2.10.2 | Authentication Verification Requirements | Service Authentication Requirements | Verify that if passwords are required, the credentials are not a default account. | 255 | Comply | Implementation through OS assisted |
| 2.10.3 | Authentication Verification Requirements | Service Authentication Requirements | Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access. | 522 | Comply | Implementation through OS assisted |
| 2.10.4 | Authentication Verification Requirements | Service Authentication Requirements | Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage. | 798 | Comply | Implementation through OS assisted |
| 3 | Session Management Verification Requirements | - | - | - | | |
| 3.2 | Session Management Verification Requirements | Session Binding Requirements | - | - | | |
| 3.2.4 | Session Management Verification Requirements | Session Binding Requirements | Verify that session tokens are generated using approved cryptographic algorithms. (C6) | 331 | Comply | |
| 3.3 | Session Management Verification Requirements | Session Logout and Timeout Requirements | - | - | | |
| 3.3.2 | Session Management Verification Requirements | Session Logout and Timeout Requirements | If authenticators permit users to remain logged in, verify that re-authentication occurs periodically (12 hours, or 30 minutes of inactivity) both when actively used or after an idle period, 2FA optional. | 613 | Comply | |
| 3.3.3 | Session Management Verification Requirements | Session Logout and Timeout Requirements | Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties. | 613 | Comply | |
| 3.3.4 | Session Management Verification Requirements | Session Logout and Timeout Requirements | Verify that users are able to view and log out of any or all currently active sessions and devices. | 613 | Comply | |
| 3.5 | Session Management Verification Requirements | Token-based Session Management | - | - | | |
| 3.5.1 | Session Management Verification Requirements | Token-based Session Management | Verify the application does not treat OAuth and refresh tokens, on their own, as the presence of the subscriber and allows users to terminate trust relationships with linked applications. | 290 | Comply | |
| 3.5.2 | Session Management Verification Requirements | Token-based Session Management | Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations. | 798 | Comply | |
| 3.5.3 | Session Management Verification Requirements | Token-based Session Management | Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks. | 345 | Comply | |
| 4 | Access Control Verification Requirements | - | - | - | | |
| 4.3 | Access Control Verification Requirements | Other Access Control Considerations | - | - | | |
| 4.3.3 | Access Control Verification Requirements | Other Access Control Considerations | Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud. | 732 | Comply | |
| 5 | Validation, Sanitization and Encoding Verification Requirements | - | - | - | | |
| 5.4 | Validation, Sanitization and Encoding Verification Requirements | Memory, String, and Unmanaged Code Requirements | - | - | | |
| 5.4.1 | Validation, Sanitization and Encoding Verification Requirements | Memory, String, and Unmanaged Code Requirements | Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows. | 120 | Comply | |
| 5.4.2 | Validation, Sanitization and Encoding Verification Requirements | Memory, String, and Unmanaged Code Requirements | Verify that format strings do not take potentially hostile input, and are constant. | 134 | Comply | |
| 5.4.3 | Validation, Sanitization and Encoding Verification Requirements | Memory, String, and Unmanaged Code Requirements | Verify that sign, range, and input validation techniques are used to prevent integer overflows. | 190 | Comply | |
| 6 | Stored Cryptography Verification Requirements | - | - | - | | |
| 6.1 | Stored Cryptography Verification Requirements | Data Classification | - | - | | |
| 6.1.1 | Stored Cryptography Verification Requirements | Data Classification | Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | 311 | Comply | |
| 6.1.2 | Stored Cryptography Verification Requirements | Data Classification | Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. | 311 | Comply | |
| 6.1.3 | Stored Cryptography Verification Requirements | Data Classification | Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. | 311 | Comply | |
| 6.2 | Stored Cryptography Verification Requirements | Algorithms | - | - | | |
| 6.2.2 | Stored Cryptography Verification Requirements | Algorithms | Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. (C8) | 327 | Comply | |
| 6.2.3 | Stored Cryptography Verification Requirements | Algorithms | Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice. | 326 | Comply | |
| 6.2.4 | Stored Cryptography Verification Requirements | Algorithms | Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. (C8) | 326 | Comply | |
| 6.2.5 | Stored Cryptography Verification Requirements | Algorithms | Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility. | 326 | Comply | |
| 6.2.6 | Stored Cryptography Verification Requirements | Algorithms | Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used. | 326 | Comply | |
| 6.3 | Stored Cryptography Verification Requirements | Random Values | - | - | | |
| 6.3.1 | Stored Cryptography Verification Requirements | Random Values | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker. | 338 | Comply | |
| 6.3.2 | Stored Cryptography Verification Requirements | Random Values | Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable. | 338 | Comply | |
| 6.4 | Stored Cryptography Verification Requirements | Secret Management | - | - | | |
| 6.4.1 | Stored Cryptography Verification Requirements | Secret Management | Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. (C8) | 798 | Comply | |
| 6.4.2 | Stored Cryptography Verification Requirements | Secret Management | Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. (C8) | 320 | Comply | |
| 7 | Error Handling and Logging Verification Requirements | - | - | - | | |
| 7.1 | Error Handling and Logging Verification Requirements | Log Content Requirements | - | - | | |
| 7.1.3 | Error Handling and Logging Verification Requirements | Log Content Requirements | Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. (C5, C7) | 778 | Partially Implemented | |
| 7.1.4 | Error Handling and Logging Verification Requirements | Log Content Requirements | Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. (C9) | 778 | Comply | |
| 7.2 | Error Handling and Logging Verification Requirements | Log Processing Requirements | - | - | | |
| 7.2.1 | Error Handling and Logging Verification Requirements | Log Processing Requirements | Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations. | 778 | Comply | |
| 7.2.2 | Error Handling and Logging Verification Requirements | Log Processing Requirements | Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations. | 285 | Comply | |
| 7.3 | Error Handling and Logging Verification Requirements | Log Protection Requirements | - | - | | |
| 7.3.1 | Error Handling and Logging Verification Requirements | Log Protection Requirements | Verify that the application appropriately encodes user-supplied data to prevent log injection. (C9) | 117 | Comply | |
| 7.3.2 | Error Handling and Logging Verification Requirements | Log Protection Requirements | Verify that all events are protected from injection when viewed in log viewing software. (C9) | 117 | Comply | |
| 7.3.3 | Error Handling and Logging Verification Requirements | Log Protection Requirements | Verify that security logs are protected from unauthorized access and modification. (C9) | 200 | Comply | |
| 7.3.4 | Error Handling and Logging Verification Requirements | Log Protection Requirements | Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. (C9) | - | Comply | |
| 7.4 | Error Handling and Logging Verification Requirements | Error Handling | - | - | | |
| 7.4.2 | Error Handling and Logging Verification Requirements | Error Handling | Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. (C10) | 544 | Comply | |
| 7.4.3 | Error Handling and Logging Verification Requirements | Error Handling | Verify that a "last resort" error handler is defined which will catch all unhandled exceptions. (C10) | 460 | Comply | |
| 8 | Data Protection Verification Requirements | - | - | - | | |
| 8.1 | Data Protection Verification Requirements | General Data Protection | - | - | | |
| 8.1.1 | Data Protection Verification Requirements | General Data Protection | Verify the application protects sensitive data from being cached in server components such as load balancers and application caches. | 524 | Comply | |
| 8.1.2 | Data Protection Verification Requirements | General Data Protection | Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. | 524 | Comply | |
| 8.1.3 | Data Protection Verification Requirements | General Data Protection | Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values. | 233 | Comply | |
| 8.1.4 | Data Protection Verification Requirements | General Data Protection | Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application. | 770 | Comply | |
| 9 | Communications Verification Requirements | - | - | - | | |
| 9.2 | Communications Verification Requirements | Server Communications Security Requirements | - | - | | |
| 9.2.1 | Communications Verification Requirements | Server Communications Security Requirements | Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected. | 295 | Comply | |
| 9.2.2 | Communications Verification Requirements | Server Communications Security Requirements | Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols. | 319 | Comply | |
| 9.2.3 | Communications Verification Requirements | Server Communications Security Requirements | Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. | 287 | Comply | |
| 9.2.4 | Communications Verification Requirements | Server Communications Security Requirements | Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. | 299 | Comply | |
| 10 | Malicious Code Verification Requirements | - | - | - | | |
| 10.2 | Malicious Code Verification Requirements | Malicious Code Search | - | - | | |
| 10.2.1 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data. | 359 | Comply | |
| 10.2.2 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location. | 272 | Comply | |
| 11 | Business Logic Verification Requirements | - | - | - | | |
| 11.1 | Business Logic Verification Requirements | Business Logic Security Requirements | - | - | | |
| 11.1.6 | Business Logic Verification Requirements | Business Logic Security Requirements | Verify the application does not suffer from "time of check to time of use" (TOCTOU) issues or other race conditions for sensitive operations. | 367 | Other | Not sure |
| 11.1.7 | Business Logic Verification Requirements | Business Logic Security Requirements | Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. (C9) | 754 | Comply | |
| 11.1.8 | Business Logic Verification Requirements | Business Logic Security Requirements | Verify the application has configurable alerting when automated attacks or unusual activity is detected. | 390 | Not Comply | |
| 12 | File and Resources Verification Requirements | - | - | - | | |
| 12.1 | File and Resources Verification Requirements | File Upload Requirements | - | - | | |
| 12.1.2 | File and Resources Verification Requirements | File Upload Requirements | Verify that compressed files are checked for "zip bombs" - small input files that will decompress into huge files thus exhausting file storage limits. | 409 | Comply | |
| 12.1.3 | File and Resources Verification Requirements | File Upload Requirements | Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files. | 770 | Comply | |
| 12.2 | File and Resources Verification Requirements | File Integrity Requirements | - | - | | |
| 12.2.1 | File and Resources Verification Requirements | File Integrity Requirements | Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content. | 434 | Comply | |
| 12.3 | File and Resources Verification Requirements | File Execution Requirements | - | - | | |
| 12.3.6 | File and Resources Verification Requirements | File Execution Requirements | Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs. | 829 | Comply | |
| 13 | API and Web Service Verification Requirements | - | - | - | | |
| 13.1 | API and Web Service Verification Requirements | Generic Web Service Security Verification Requirements | - | - | | |
| 13.1.4 | API and Web Service Verification Requirements | Generic Web Service Security Verification Requirements | Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions. | 285 | Comply | |
| 13.1.5 | API and Web Service Verification Requirements | Generic Web Service Security Verification Requirements | Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type). | 434 | Comply | |
| 13.2 | API and Web Service Verification Requirements | RESTful Web Service Verification Requirements | - | - | | |
| 13.2.4 | API and Web Service Verification Requirements | RESTful Web Service Verification Requirements | Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated. | 779 | Comply | |
| 13.2.5 | API and Web Service Verification Requirements | RESTful Web Service Verification Requirements | Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/JSON. | 436 | Comply | |
| 13.2.6 | API and Web Service Verification Requirements | RESTful Web Service Verification Requirements | Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits. | 345 | Comply | |
| 13.3 | API and Web Service Verification Requirements | SOAP Web Service Verification Requirements | - | - | | |
| 13.3.2 | API and Web Service Verification Requirements | SOAP Web Service Verification Requirements | Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service. | 345 | Comply | |
| 13.4 | API and Web Service Verification Requirements | GraphQL and other Web Service Data Layer Security Requirements | - | - | | |
| 13.4.1 | API and Web Service Verification Requirements | GraphQL and other Web Service Data Layer Security Requirements | Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used. | 770 | Not Applicable | |
| 13.4.2 | API and Web Service Verification Requirements | GraphQL and other Web Service Data Layer Security Requirements | Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer. | 285 | Not Applicable | |
| 14 | Configuration Verification Requirements | - | - | - | | |
| 14.1 | Configuration Verification Requirements | Build | - | - | | |
| 14.1.1 | Configuration Verification Requirements | Build | Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts. | - | Not Comply | |
| 14.1.2 | Configuration Verification Requirements | Build | Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found. | 120 | Comply | |
| 14.1.3 | Configuration Verification Requirements | Build | Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use. | 16 | Comply | |
| 14.1.4 | Configuration Verification Requirements | Build | Verify that the application, configuration, and all dependencies can be redeployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion. | - | Not Comply | |
| 14.1.5 | Configuration Verification Requirements | Build | Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering. | - | Comply | |
| 14.2 | Configuration Verification Requirements | Dependency | - | - | | |
| 14.2.4 | Configuration Verification Requirements | Dependency | Verify that third party components come from pre-defined, trusted and continually maintained repositories. (C2) | 829 | Comply | |
| 14.2.5 | Configuration Verification Requirements | Dependency | Verify that an inventory catalog is maintained of all third party libraries in use. (C2) | - | Comply | |
| 14.2.6 | Configuration Verification Requirements | Dependency | Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. (C2) | 265 | Comply | |
| 14.5 | Configuration Verification Requirements | Validate HTTP Request Header Requirements | - | - | | |
| 14.5.4 | Configuration Verification Requirements | Validate HTTP Request Header Requirements | Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application. | 306 | Comply | |

Authorization

OSM Communication & Convergence Product Management: Faizal Aidul Fitri / 730497
Project Manager: Singgih Aji Prasetyo


OWASP Application Security Verification Standard (ASVS)
Level 3 Requirements

| ASVS No. | Categories | Sub Categories | Requirements | CWE | Compliance | Remark |

| 1 | Architecture, Design and Threat Modeling Requirements | - | - | - | | |
| 1.11 | Architecture, Design and Threat Modeling Requirements | Business Logic Architectural Requirements | - | - | | |
| 1.11.3 | Architecture, Design and Threat Modeling Requirements | Business Logic Architectural Requirements | Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions. | 367 | Other | Not sure |
| 2 | Authentication Verification Requirements | - | - | - | | |
| 2.2 | Authentication Verification Requirements | General Authenticator Requirements | - | - | | |
| 2.2.4 | Authentication Verification Requirements | General Authenticator Requirements | Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates. | 308 | Other | Not sure |
| 2.2.5 | Authentication Verification Requirements | General Authenticator Requirements | Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints. | 319 | Comply | |
| 2.2.6 | Authentication Verification Requirements | General Authenticator Requirements | Verify replay resistance through the mandated use of OTP devices, cryptographic authenticators, or lookup codes. | 308 | Not Applicable | |
| 2.2.7 | Authentication Verification Requirements | General Authenticator Requirements | Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key. | 308 | Not Applicable | |
| 2.8 | Authentication Verification Requirements | Single or Multi Factor One Time Verifier Requirements | - | - | | |
| 2.8.7 | Authentication Verification Requirements | Single or Multi Factor One Time Verifier Requirements | Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know. | 308 | Not Applicable | |
| 2.10 | Authentication Verification Requirements | Service Authentication Requirements | - | - | | |
| 2.10.1 | Authentication Verification Requirements | Service Authentication Requirements | Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts. | 287 | Comply | Implementation using HSM |
| 2.10.2 | Authentication Verification Requirements | Service Authentication Requirements | Verify that if passwords are required, the credentials are not a default account. | 255 | Comply | Implementation using HSM |
| 2.10.3 | Authentication Verification Requirements | Service Authentication Requirements | Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access. | 522 | Comply | Implementation using HSM |
| 2.10.4 | Authentication Verification Requirements | Service Authentication Requirements | Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage. | 798 | Comply | Implementation using HSM |
| 3 | Session Management Verification Requirements | - | - | - | | |
| 3.3 | Session Management Verification Requirements | Session Logout and Timeout Requirements | - | - | | |
| 3.3.2 | Session Management Verification Requirements | Session Logout and Timeout Requirements | If authenticators permit users to remain logged in, verify that re-authentication occurs periodically (12 hours or 15 minutes of inactivity, with 2FA) both when actively used or after an idle period, 2FA optional. | 613 | Comply | |
| 3.6 | Session Management Verification Requirements | Re-authentication from a Federation or Assertion | - | - | | |
| 3.6.1 | Session Management Verification Requirements | Re-authentication from a Federation or Assertion | Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven't used a session within that period. | 613 | Comply | |
| 3.6.2 | Session Management Verification Requirements | Re-authentication from a Federation or Assertion | Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user. | 613 | Comply | |
| 6 | Stored Cryptography Verification Requirements | - | - | - | | |
| 6.2 | Stored Cryptography Verification Requirements | Algorithms | - | - | | |
| 6.2.7 | Stored Cryptography Verification Requirements | Algorithms | Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party. | 326 | Comply | |
| 6.2.8 | Stored Cryptography Verification Requirements | Algorithms | Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information. | 385 | Comply | |
| 6.3 | Stored Cryptography Verification Requirements | Random Values | - | - | | |
| 6.3.3 | Stored Cryptography Verification Requirements | Random Values | Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances. | 338 | Comply | |
| 8 | Data Protection Verification Requirements | - | - | - | | |
| 8.1 | Data Protection Verification Requirements | General Data Protection | - | - | | |
| 8.1.5 | Data Protection Verification Requirements | General Data Protection | Verify that regular backups of important data are performed and that test restoration of data is performed. | 19 | Other | Not sure |
| 8.1.6 | Data Protection Verification Requirements | General Data Protection | Verify that backups are stored securely to prevent data from being stolen or corrupted. | 19 | Other | Not sure |
| 9 | Communications Verification Requirements | - | - | - | | |
| 9.2 | Communications Verification Requirements | Server Communications Security Requirements | - | - | | |
| 9.2.5 | Communications Verification Requirements | Server Communications Security Requirements | Verify that backend TLS connection failures are logged. | 544 | Comply | |
| 10 | Malicious Code Verification Requirements | - | - | - | | |
| 10.1 | Malicious Code Verification Requirements | Code Integrity Controls | - | - | | |
| 10.1.1 | Malicious Code Verification Requirements | Code Integrity Controls | Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections. | 749 | Comply | |
| 10.2 | Malicious Code Verification Requirements | Malicious Code Search | - | - | | |
| 10.2.3 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered. | 507 | Comply | |
| 10.2.4 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application source code and third party libraries do not contain time bombs by searching for date and time related functions. | 511 | Comply | |
| 10.2.5 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application source code and third party libraries do not contain malicious code, such as salami attacks, logic bypasses, or logic bombs. | 511 | Comply | |
| 10.2.6 | Malicious Code Verification Requirements | Malicious Code Search | Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality. | 507 | Comply | |


OWASP Application Security Verification Standard
Future Requirement Development

| No | Categories | Sub Categories | Requirements | CWE | Compliance | Remark |
| 1 | Architecture, Design and Threat Modeling Requirements | - | - | - | | |
| 1.3 | Architecture, Design and Threat Modeling Requirements | Session Management Architectural Requirements | - | - | | |
| 1.13 | Architecture, Design and Threat Modeling Requirements | API Architectural Requirements | - | - | | |